Skip to content

CNAPPgoat is an open source project designed to modularly provision vulnerable-by-design components in cloud environments.

License

Notifications You must be signed in to change notification settings

tenable/cnappgoat

Repository files navigation

CNAPPGoat logo: a smiling goat with a purple cloud background

made-with-Go GitHub Release Go Report Card License: Apache-2.0

Maintainer

CNAPPgoat

CNAPPgoat is a multi-cloud, vulnerable-by-design environment deployment tool – specifically engineered to facilitate practice arenas for defenders and pentesters. Its main function is to deploy intentionally vulnerable environments across multiple cloud service providers, to help you sharpen your skills in exploiting, detecting, and preventing such vulnerabilities.

Gif demonstrating an example of using AccessUndenied

Warning: CNAPPgoat deploys vulnerable environments. Only use it within safe, controlled sandboxes.

Getting Started

CNAPPgoat operates as a Command Line Interface (CLI) tool, capable of deploying vulnerable environments to a multitude of cloud service providers. Built with Go and utilizing Pulumi and the Pulumi automation API, it ensures seamless environment deployment. One of its unique features is its modular design, which allows for effortless extension to support an array of cloud service providers and new vulnerable environments. As of now, CNAPPgoat supports AWS, Azure, and GCP.

Prerequisites for running CNAPPgoat

Pulumi dependencies and plugins will install in an on-demand basis according to each scenario's requirements when you provision your first environment. This means the first time provisioning might take a little longer than subsequent ones.

Installation

Homebrew

CNAPPgoat can be easily installed for macOS users using the Homebrew package manager.

brew tap ermetic-research/cnappgoat
brew install cnappgoat

Download the release directly for macOS, Linux, and macOS.

  1. Download the latest release from here.

    tar -xvf cnappgoat-<version>.tar.gz
    cd cnappgoat-<version>
  2. (Optional) If you'd like to add the extracted binary to your system's PATH (you don't have to, you can just run it from the local directory as ./cnappgoat):

Option A: Move to a directory in your PATH (e.g., /usr/local/bin for macOS and Linux)

mv cnappgoat /usr/local/bin/

Option B: Add the directory containing the binary to your PATH

For bash:

echo 'export PATH=$PATH:<path_to_directory_containing_cnappgoat>' >> ~/.bashrc
source ~/.bashrc

For zsh:

echo 'export PATH=$PATH:<path_to_directory_containing_cnappgoat>' >> ~/.zshrc
source ~/.zshrc

Replace <path_to_directory_containing_cnappgoat> with the absolute path to the directory where cnappgoat binary resides.

Usage

NAME:
   cnappgoat - A multicloud open-source tool for deploying vulnerable-by-design cloud resources

USAGE:
   cnappgoat [global options] command [command options] [arguments...]

VERSION:
   0.1.0-beta, date: 2023-08-02T13:02:46Z, commit: 6bef61857d9f3cf88215269df8976f96317711dc


COMMANDS:
   clean      clean and remove all created resources and delete all scenarios and any related files
   describe   describe a scenario
   destroy    Destroy CNAPPgoat module scenarios
   list       List CNAPPgoat module scenarios
   provision  Provision CNAPPgoat module scenarios
   help, h    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug        Enable debug mode (default: false)
   --help, -h     show help
   --version, -v  print the version
Command Description Usage
list Lists all available scenarios for provisioning. cnappgoat list
describe Provides detailed information about the specified scenario. cnappgoat describe <scenario name>
provision Provisions the scenario specified by the scenario name. To provision all scenarios, simply use cnappgoat provision cnappgoat provision <scenario name>
destroy Destroys the scenario specified by the scenario name. To destroy all scenarios, simply use cnappgoat destroy cnappgoat destroy <scenario name>
clean Cleans up all scenarios and deletes the .cnappgoat local directory cnappgoat clean
--version, -v Displays the current version of CNAPPgoat cnappgoat --version
--help, -h Displays the help menu. cnappgoat --help

You may use multiple arguments separated by spaces. For example:

cnappgoat provision <scenario-1> <scenario-2> <scenario-N>

Flags:

  • --module - Filters scenarios by module (e.g. CSPM, CIEM, CWPP, DSPM, etc.)
  • --platform - Filters scenarios by platform (e.g. AWS, Azure, GCP)
  • --force - Enables force mode (unlock locked stacks with pulumi cancel)
  • --debug - Enables debug logging.

These flags are command flags and should be placed after the command. For example:

cnappgoat provision --module CSPM --platform AWS

This command will provision all AWS CSPM scenarios.

CNAPPgoat Scenarios

CNAPPgoat downloads scenarios from the cnappgoat-scenarios repository at its first run of every day, these scenarios are automatically downloaded when you run CNAPPgoat and are stored in the ~/.cnappgoat/scenarios directory.

Setup and Configuration

Before you can use CNAPPgoat, you need to set up your cloud credentials for AWS, Azure, and GCP. CNAPPgoat uses the default credentials for each provider. Follow the steps below to set up your credentials:

AWS Credentials

  1. Install the AWS CLI by following the instructions here.

  2. Configure your AWS credentials by running:

    aws configure

    You'll be prompted to enter your Access Key ID, Secret Access Key, and default region name.

Azure Credentials

  1. Install the Azure CLI by following the instructions here.

  2. Log in to your Azure account by running:

    az login

    This will open a new browser window for you to log in. After logging in, your credentials will be stored for future use.

GCP Credentials

  1. Install the Google Cloud SDK by following the instructions here.

  2. Authenticate with Google Cloud by running:

    gcloud auth login

    This will open a new browser window for you to log in. After logging in, your credentials will be stored for future use.

By setting these credentials, you will be able to deploy scenarios on AWS, Azure, and GCP using CNAPPgoat. If you're planning on using CNAPPgoat with a different provider, make sure to configure the credentials accordingly.

Learn more

To learn more about CNAPPgoat, check out the post on the Ermetic blog: https://ermetic.com/blog/cloud/cnappgoat-multicloud-open-source-tool-for-deploying-vulnerable-by-design-cloud-resources/

Acknowledgements

Similar projects

CNAPPgoat provisions a breadth of vulnerable scenarios on multiple clouds to test detection and prevention capabilities. There are other great projects out there for vulnerable cloud environments that are focused on different areas, such as exploitation, detection, CTF (capture the flag) scenarios, etc. We were inspired by these tools and projects, and we recommend checking them out:

More challenges and tools can be found in the Awesome Cloud Security Challeges repo by Mike Privitte, our list focused specifically on vulnerable-by-design cloud environments that are deployed by users in their own sandbox.

Contact

To email the project team, contact [email protected]

Disclaimer

  • CNAPPgoat is provided "as is" and without any warranty or support.
  • This is a beta version. The project is still in development, so we apologize for any growing pains. We will release a stable version in the coming weeks.

About

CNAPPgoat is an open source project designed to modularly provision vulnerable-by-design components in cloud environments.

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages